Package tls (Kubernaut), v1.3.2

Note: this package version is not the latest version of its module.

Published: Apr 26, 2026. License: Apache-2.0. Imports: 12. Imported by: 0.

Documentation

Overview

Package tls provides shared TLS utilities for Kubernaut services. Issue #493: TLS for inter-pod HTTP communication.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func DefaultBaseTransport

func DefaultBaseTransport() (http.RoundTripper, error)

DefaultBaseTransport returns an http.RoundTripper pre-configured with the CA certificate at $TLS_CA_FILE (if set). When TLS_CA_FILE points to a valid CA file, a process-level CAReloader is initialized and returned as the RoundTripper — this enables hot-reload when the CA file is rotated.

When TLS_CA_FILE is unset or empty, returns a plain http.Transport.

Issue #753: Uses retry-capable lazy init instead of sync.Once. If the CA file is not yet available (e.g., Secret not mounted), subsequent calls will retry instead of failing permanently.
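The retry-capable lazy initialisation described above, as an added example that is not the Kubernaut package's own code: a mutex-guarded initialiser caches the RoundTripper only after the builder has succeeded, so a CA file that is missing at startup does not poison every later call the way a sync.Once would. The lazyTransport and newFlakyBuilder names and the "not yet mounted" error text are constructed for this illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"sync"
)

// lazyTransport builds its RoundTripper on first use and caches it only once the
// builder has succeeded. sync.Once would run the builder exactly once and cache a
// failure for the life of the process; this version lets later callers retry.
// Constructed illustration of the behaviour the page describes, not the package's code.
type lazyTransport struct {
	mu    sync.Mutex
	rt    http.RoundTripper
	build func() (http.RoundTripper, error)
}

// Get returns the cached transport or, while no build has succeeded, tries again.
func (l *lazyTransport) Get() (http.RoundTripper, error) {
	l.mu.Lock()
	defer l.mu.Unlock()
	if l.rt != nil {
		return l.rt, nil
	}
	rt, err := l.build()
	if err != nil {
		return nil, err // l.rt stays nil, so the next call retries the build
	}
	l.rt = rt
	return rt, nil
}

// newFlakyBuilder is a constructed test double: it fails the first failN calls, like a
// CA Secret that is mounted only after the pod has started, then succeeds. The returned
// counter records how many times the builder ran.
func newFlakyBuilder(failN int) (func() (http.RoundTripper, error), *int) {
	calls := 0
	return func() (http.RoundTripper, error) {
		calls++
		if calls <= failN {
			return nil, errors.New("TLS_CA_FILE not yet mounted") // constructed error
		}
		return &http.Transport{}, nil
	}, &calls
}

func main() {
	build, calls := newFlakyBuilder(2)
	lt := &lazyTransport{build: build}
	for i := 1; i <= 4; i++ {
		_, err := lt.Get()
		fmt.Printf("call %d: err=%v, builder runs=%d\n", i, err, *calls)
	}
}
```

The builder runs under the lock, so concurrent first callers are serialised rather than each reading the CA file at once; once a build succeeds every later call returns the same transport and the builder never runs again.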

func DefaultBaseTransportWithRetry added in v1.3.2

func DefaultBaseTransportWithRetry() (http.RoundTripper, error)

DefaultBaseTransportWithRetry returns DefaultBaseTransport wrapped with a RetryTransport using default retry configuration (3 attempts, exponential backoff with 20% jitter). Use this for inter-service HTTP clients that should survive transient failures (connection reset, 502/503/504).

IMPORTANT: Do NOT use for the audit client — it has its own application-level retry in BufferedAuditStore.writeBatchWithRetry (DD-AUDIT-003).

Issue #853: Inter-service HTTP clients lack retry/circuit-breaker.
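A RoundTripper with the retry policy described above (3 attempts, exponential backoff with 20% jitter, retry on connection reset and 502/503/504), written here as an added example; it is not the Kubernaut package's RetryTransport. The field names, the 100ms base delay and the scriptedRT test double are assumptions, and only requests without a body are retried.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"math/rand"
	"net/http"
	"strings"
	"syscall"
	"time"
)

// RetryTransport retries connection resets and 502/503/504 responses from the wrapped
// RoundTripper. Constructed example, not the Kubernaut package's code; names are assumptions.
type RetryTransport struct {
	Base      http.RoundTripper
	Attempts  int                 // total attempts including the first
	BaseDelay time.Duration       // delay before the first retry, doubled on each retry
	Jitter    float64             // fraction of the delay randomised: 0.20 = +-20%
	Sleep     func(time.Duration) // injectable so tests do not have to wait
}

// NewRetryTransport uses the page's defaults (3 attempts, 20% jitter); 100ms base is assumed.
func NewRetryTransport(base http.RoundTripper) *RetryTransport {
	return &RetryTransport{Base: base, Attempts: 3, BaseDelay: 100 * time.Millisecond, Jitter: 0.20, Sleep: time.Sleep}
}

// Backoff returns the delay before retry n (n >= 1): BaseDelay * 2^(n-1), widened by a
// uniform random +-Jitter so that many clients do not retry in lockstep.
func (t *RetryTransport) Backoff(n int) time.Duration {
	d := t.BaseDelay << uint(n-1)
	return d + time.Duration((rand.Float64()*2-1)*t.Jitter*float64(d))
}

// RoundTrip implements http.RoundTripper. Requests carrying a body are not retried:
// a body that has already been streamed cannot be replayed safely.
func (t *RetryTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	if req.Body != nil && req.Body != http.NoBody {
		return t.Base.RoundTrip(req)
	}
	var lastErr error
	for attempt := 1; attempt <= t.Attempts; attempt++ {
		if attempt > 1 {
			if err := req.Context().Err(); err != nil {
				return nil, err // caller gave up; stop retrying
			}
			t.Sleep(t.Backoff(attempt - 1))
		}
		resp, err := t.Base.RoundTrip(req)
		if err != nil {
			if !errors.Is(err, syscall.ECONNRESET) {
				return nil, err // not transient: surface immediately
			}
			lastErr = err
			continue
		}
		switch resp.StatusCode {
		case http.StatusBadGateway, http.StatusServiceUnavailable, http.StatusGatewayTimeout:
		default:
			return resp, nil
		}
		io.Copy(io.Discard, resp.Body) // drain so the connection can be reused
		resp.Body.Close()
		lastErr = fmt.Errorf("transient status %d", resp.StatusCode)
	}
	return nil, fmt.Errorf("giving up after %d attempts: %w", t.Attempts, lastErr)
}

// scriptedRT is a constructed test double: it replays status codes in order, one per
// call (0 means a connection reset), repeating the last one once the script runs out.
type scriptedRT struct {
	script []int
	calls  int
}

func (s *scriptedRT) RoundTrip(*http.Request) (*http.Response, error) {
	i := s.calls
	if i >= len(s.script) {
		i = len(s.script) - 1
	}
	s.calls++
	if s.script[i] == 0 {
		return nil, syscall.ECONNRESET
	}
	return &http.Response{StatusCode: s.script[i], Body: io.NopCloser(strings.NewReader(""))}, nil
}

func main() {
	s := &scriptedRT{script: []int{0, 503, 200}}
	req, _ := http.NewRequest(http.MethodGet, "https://example.invalid/healthz", nil)
	resp, err := NewRetryTransport(s).RoundTrip(req)
	fmt.Println(resp.StatusCode, err, s.calls) // 200 <nil> 3
}
```

Two design points matter for the page's warning about the audit client: a transport-level retry multiplies with any application-level retry above it (3 x N attempts against a struggling backend), so wrap only clients that have no retry of their own; and a retry must never replay a request whose body cannot be re-read, which is why bodies are passed straight through here (a fuller version would use http.Request.GetBody and restrict retries to idempotent methods).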

func LoadCACert

func LoadCACert(caFile string) (*x509.CertPool, error)

LoadCACert loads a PEM-encoded CA certificate from the given file path and returns an x509.CertPool containing the CA.

func NewTLSTransport

func NewTLSTransport(caFile string) (*http.Transport, error)

NewTLSTransport creates an http.Transport configured with a custom CA pool for verifying server certificates on outbound HTTPS calls.

func ResetDefaultTransportForTesting

func ResetDefaultTransportForTesting()

ResetDefaultTransportForTesting resets the singleton CAReloader so that tests run with a clean slate. Must only be called from test code.

func StartCAFileWatcher

func StartCAFileWatcher(ctx context.Context, logger logr.Logger) (*hotreload.FileWatcher, error)

StartCAFileWatcher initializes the CA reloader singleton and starts a FileWatcher on $TLS_CA_FILE. Returns nil watcher if TLS_CA_FILE is unset. The returned watcher must be stopped by the caller (defer watcher.Stop()).

Types

type CAReloader

type CAReloader struct {
	// contains filtered or unexported fields
}

CAReloader is an http.RoundTripper that supports hot-reloading of the TLS CA certificate pool. When the CA file is rotated (e.g., by the OCP service-ca operator), the FileWatcher calls ReloadCallback which builds a new http.Transport with the fresh cert pool and swaps it atomically.

Existing in-flight requests complete on the old transport; new requests use the updated one.

Issue #756: Generalized from pkg/effectivenessmonitor/client for all inter-service TLS communication.

Thread safety: all public methods are safe for concurrent use.

func NewCAReloader

func NewCAReloader(pemData []byte) (*CAReloader, error)

NewCAReloader creates a CAReloader initialized with the given PEM certificate data. Returns an error if pemData contains no valid PEM certificates or is empty.

func NewCAReloaderFromFile

func NewCAReloaderFromFile(path string) (*CAReloader, error)

NewCAReloaderFromFile creates a CAReloader by reading PEM data from a file. Error message preserves compatibility with existing test expectations.

func (*CAReloader) CurrentTransport

func (r *CAReloader) CurrentTransport() *http.Transport

CurrentTransport returns the currently active http.Transport (snapshot).

func (*CAReloader) GetCertPool

func (r *CAReloader) GetCertPool() *x509.CertPool

GetCertPool returns the currently active certificate pool (snapshot).

func (*CAReloader) ReloadCallback

func (r *CAReloader) ReloadCallback(newContent string) error

ReloadCallback parses newContent as PEM, builds a fresh cert pool, and atomically replaces the underlying http.Transport. If the PEM is invalid, the previous transport is preserved and an error is returned.

This function satisfies the hotreload.ReloadCallback signature.

func (*CAReloader) RoundTrip

func (r *CAReloader) RoundTrip(req *http.Request) (*http.Response, error)

RoundTrip implements http.RoundTripper. Each call reads the current transport under a read lock, then delegates. The lock is held only for the pointer copy, not for the network I/O.

type CertReloader

type CertReloader struct {
	// contains filtered or unexported fields
}

CertReloader supports hot-reloading of TLS server certificates. It implements the tls.Config.GetCertificate callback pattern, allowing Kubernetes Secret rotation to be picked up without restarting the server. Thread-safe: concurrent GetCertificate calls and ReloadCallback are serialized via RWMutex.

Issue #756: TLS certificate rotation for inter-service communication.

func ConfigureConditionalTLS

func ConfigureConditionalTLS(server *http.Server, certDir string) (bool, *CertReloader, error)

ConfigureConditionalTLS configures the server for TLS if cert files exist in certDir. Returns (true, reloader, nil) if TLS was configured with hot-reload support, (false, nil, nil) if no certs found (plain HTTP), or (false, nil, error) if certs exist but are invalid.

Issue #756: Returns a CertReloader that can be wired to a FileWatcher for zero-downtime certificate rotation.

func NewCertReloader

func NewCertReloader(certFile, keyFile string) (*CertReloader, error)

NewCertReloader creates a CertReloader that loads the initial certificate from disk. Returns error if the initial load fails (fail-fast at startup).

func (*CertReloader) GetCertificate

func (r *CertReloader) GetCertificate(_ *tls.ClientHelloInfo) (*tls.Certificate, error)

GetCertificate returns the current certificate for TLS handshakes. Safe for concurrent use from multiple goroutines (TLS accept loop).

func (*CertReloader) ReloadCallback

func (r *CertReloader) ReloadCallback(_ string) error

ReloadCallback re-reads both cert and key files from disk. The content argument is ignored because Kubernetes Secret updates are atomic (symlink swap of the entire directory), so we must re-read both files together rather than using the single-file content provided by FileWatcher.

On failure, the previous certificate is preserved (graceful degradation). This function satisfies the hotreload.ReloadCallback signature.
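Both reloader types described above (the CAReloader's atomic transport swap with the read lock held only for the pointer copy, and the CertReloader's GetCertificate callback that re-reads cert and key as a pair), as one added example that is not the Kubernaut package's code. The NewCertReloader fail-fast constructor is omitted for brevity: a caller initialises the reloader by invoking ReloadCallback once at startup and treating an error as fatal. The selfSignedPEM helper generates throwaway test certificates so the example runs offline; the MinVersion setting and all internal names are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"math/big"
	"net/http"
	"sync"
	"time"
)

// CAReloader swaps its trusted CA pool at runtime (constructed example, not the package's code).
type CAReloader struct {
	mu        sync.RWMutex
	transport *http.Transport
}

func NewCAReloader(pemData []byte) (*CAReloader, error) {
	r := &CAReloader{}
	if err := r.ReloadCallback(string(pemData)); err != nil {
		return nil, err
	}
	return r, nil
}

// ReloadCallback swaps in a transport built from newContent; invalid or empty PEM keeps the old one.
func (r *CAReloader) ReloadCallback(newContent string) error {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM([]byte(newContent)) {
		return errors.New("no valid PEM certificates in CA data")
	}
	t := &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}}
	r.mu.Lock()
	r.transport = t // requests already in flight keep the transport pointer they copied
	r.mu.Unlock()
	return nil
}

func (r *CAReloader) CurrentTransport() *http.Transport {
	r.mu.RLock()
	defer r.mu.RUnlock()
	return r.transport
}

// RoundTrip holds the read lock only for the pointer copy, never for network I/O.
func (r *CAReloader) RoundTrip(req *http.Request) (*http.Response, error) {
	return r.CurrentTransport().RoundTrip(req)
}

// CertReloader serves the server certificate through tls.Config.GetCertificate and
// re-reads cert and key together, because a Secret update replaces the whole directory.
type CertReloader struct {
	mu                sync.RWMutex
	certFile, keyFile string
	cert              *tls.Certificate
}

// ReloadCallback ignores the watched file's content. A cert/key pair that does not
// match is rejected and the previous certificate stays active.
func (r *CertReloader) ReloadCallback(_ string) error {
	cert, err := tls.LoadX509KeyPair(r.certFile, r.keyFile)
	if err != nil {
		return err
	}
	r.mu.Lock()
	r.cert = &cert
	r.mu.Unlock()
	return nil
}

func (r *CertReloader) GetCertificate(_ *tls.ClientHelloInfo) (*tls.Certificate, error) {
	r.mu.RLock()
	defer r.mu.RUnlock()
	return r.cert, nil
}

// selfSignedPEM generates a throwaway CA certificate and key (constructed test data only).
func selfSignedPEM(serial int64) (certPEM, keyPEM []byte) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true, IsCA: true}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	keyDER, _ := x509.MarshalECPrivateKey(key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
}

func main() {
	ca, _ := selfSignedPEM(1)
	if _, err := NewCAReloader(ca); err != nil {
		panic(err)
	}
}
```

Wiring is the same for both: hand CAReloader to an http.Client as its Transport, set CertReloader.GetCertificate on the server's tls.Config, and register each ReloadCallback with the file watcher. Because LoadX509KeyPair verifies that the key matches the certificate, a directory in which only one of the two files has changed is rejected as a unit and the server keeps handshaking with the previous pair, which is the behaviour the single-file watcher content could not guarantee.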

type TLSConfig

type TLSConfig struct {
	// CertDir is the directory containing tls.crt and tls.key files.
	// When empty, TLS is disabled.
	CertDir string `yaml:"certDir,omitempty"`

	// CAFile is the path to the CA certificate for client trust.
	// Used by services that make outbound HTTPS calls.
	CAFile string `yaml:"caFile,omitempty"`
}

TLSConfig holds TLS configuration shared across services.

func (TLSConfig) CertPath

func (c TLSConfig) CertPath() string

CertPath returns the full path to the TLS certificate file.

func (TLSConfig) Enabled

func (c TLSConfig) Enabled() bool

Enabled returns true when a cert directory is configured.

func (TLSConfig) KeyPath

func (c TLSConfig) KeyPath() string

KeyPath returns the full path to the TLS private key file.
